Azure Active Directory

Welcome to the Azure Active Directory suggestions and feedback site! We love hearing from you. If you have suggestions, please submit an idea or vote up an idea. We are monitoring the site actively.

Thank you for joining our community and helping improve Azure AD!

We have a new log in experience integrated with Azure AD, and we strongly recommend you log in with your Azure AD (Office 365) account. If your UserVoice account is the same email address as your Azure AD account, your previous activities will be automatically mapped to your Azure AD account. You can read more here for details: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Putting-customers-first-for-f...

  1. Enable MFA when a delegated partner (CSP) accesses a customer tenant

    We have enabled MFA for users in the AAD tenant associated with our CSP enrollment. MFA works properly when we access the Partner Center portal; however, MFA does not work when we directly access a customer tenant, e.g., Azure Management Portal, using our CSP tenant credentials. For example, accessing https://portal.azure.com/ using our CSP credentials invokes MFA but accessing https://portal.azure.com/<customer_tenant> using the same credentials does not.

    According to Microsoft support, this is because MFA can only be triggered for users in the AAD tenant, not the partner's CSP tenant.

    18 votes
    5 comments  ·  Multi-factor Authentication
  2. Enable app password creation when MFA is enforced using Azure Conditional Access

    I'm actually implementing this for a customer and this one small thing has caused a BIG hold up.

    I find it very odd that MFA being enabled from 2 different places would have a different effect. If MFA is enabled directly on a user in the Azure Classic Portal, then the app password creation option is presented during the MFA setup process. If MFA is enabled using Conditional Access policies in the new Azure Portal, then the app password creation option is not presented at all. Both are implementing the same function essentially but the latter blocks the apps that…

    102 votes
    17 comments  ·  Multi-factor Authentication
  3. Add MFA support to Secure the Windows 10 logon

    Creating a way to secure the Logon to a Windows 10 workstation with MFA would then remove much of the complexity required to secure all the applications installed upon it (such as DA etc).

    This would need to have the ability to store offline logins somehow which is possible with RSA SecurID.

    It would add the final touches to a really great solution.

    484 votes
    42 comments  ·  Multi-factor Authentication
  4. Azure MultiFactor Service

    Dear Microsoft,

    We would like to be able to programmatically set the "White List IP's" in Azure Multi Factor Service. In some cases, our end points change IP address, and we would like to be able to set these IP addresses using a PowerShell script or similar. This would be particularly important if we have a large number of end points changing IP address on a regular basis.

    Thank you.

    5 votes
    0 comments  ·  Multi-factor Authentication
  5. Have authentication app option for all users by default

    Have authentication app option for all users by default

    2 votes
    0 comments  ·  Multi-factor Authentication
  6. Azure MFA is 2-step. It needs to be 2-factor.

    Our PCI auditor told us that Azure MFA will not be compliant with DSS 3.2 starting in January 2018.

    7 votes
    0 comments  ·  Multi-factor Authentication
  7. Provide support for YubiKey / FIDO as the MFA

    Many other services (Google Apps, Facebook etc) now allow this and would be great to have in Azure AD.

    https://www.yubico.com/about/background/fido/

    141 votes
    14 comments  ·  Multi-factor Authentication
  8. Improve Azure Authenticator App to require password or touch id validation before approving push request.

    Currently, if you receive a push notification to the Azure Authenticator app while the phone is locked, merely swiping the notification and selecting View allows access to approve (or deny) the request. Other authenticator apps (Google, LastPass, etc.) require the device password or Touch ID (on iOS) before the request can be approved. This is a security flaw and needs to be fixed.

    35 votes
    2 comments  ·  Multi-factor Authentication
  9. Azure MFA Trusted IP limitation of 50 address ranges

    Currently per the article: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next the Trusted IP for configuration "For requests from a specific range of public IPs" is restricted to a hard limit of 50 IP Address ranges.

    Please provide the ability to extend this number as there are companies like ours where the limit of 50 IP Address ranges makes this not usable for production environments.

    33 votes
    12 comments  ·  Multi-factor Authentication
  10. Restrict MFA App registration to device with the same phone number assigned.

    Some organizations would like to prevent a user from having Mobile text/SMS/App from being 2 separate devices but rather require by policy that they be the same device. I.e., during registration of the OATH token in Azure Authentication, check that the mobile phone on the device matches the mobile phone registered in Azure MFA.

    5 votes
    0 comments  ·  Multi-factor Authentication
  11. Auto-Upgrade support for Azure MFA server

    Please add support for automatic upgrade of the Azure MFA server like you did with the Azure AD Connect.

    3 votes
    0 comments  ·  Multi-factor Authentication
  12. Add Windows Server 2016 support for Azure MFA server

    I hope that Microsoft will soon add support for Windows Server 2016 for the Azure MFA server. Perhaps it should be added to Windows as a new role.

    13 votes
    0 comments  ·  Multi-factor Authentication
  13. Improve the support of the MFA product for clients setting up the initial configuration. Offering links to a forum is poor & disappointing!

    Initial setups/configurations can often be the stage that requires the most support, and offering links to a forum is insufficient support for a paid product. There should be at least an improved support level for the first month, during which setup and config questions should be able to be submitted by email for a tech support reply or phone call. The current documentation is quite vague in areas such as setting up a VPN to use the MFA on-premises solution, with many users submitting questions to forums, trying to get it working.

    2 votes
    1 comment  ·  Multi-factor Authentication
  14. Better documentation on Multi Factor Authentication

    For Office 365 users, the MFA on-boarding documentation does not cover the need to turn on ADAL for Exchange Online and Skype For Business. Documentation should be updated or ADAL should default to ON for these applications in Office 365.

    2 votes
    0 comments  ·  Multi-factor Authentication
  15. Automatically enable MFA for all members of an Azure AD Group.

    Add the ability to automatically enable MFA for all members of an Azure AD group as they are added; in addition, ask if MFA should be automatically disabled for users being removed. This could be via an option within the users setting of an Azure AD group.

    79 votes
    9 comments  ·  Multi-factor Authentication

    Today, you can use conditional access to enforce MFA on a per-group basis. This is Microsoft’s recommended enforcement model.
    We will be updating the per-user enforcement of MFA to more closely match how conditional access works, but this is still in the design phase.

    Richard

  16. Please allow granular RADIUS authentication filtering

    As it stands, we can use the on-premises MFA server to authenticate RADIUS clients in an all-or-nothing fashion. Our real-world requirements include only letting people in a specific group into a specific VPN endpoint (RADIUS client), while allowing a different group to get into a different client. It would also be very useful to be able to say, for a single client, to accept users in group A with MFA challenge, but group B without. A rich rule set like ADFS provides would be even nicer, but intermediate steps in that direction soon would be a huge improvement.

    3 votes
    0 comments  ·  Multi-factor Authentication
  17. User Opt-In to Azure MFA with Office 365

    We have enabled MFA at our Office 365 tenant, but it requires admins to enable users. For organizations that would like to phase MFA in for their users, it would be nice for users to self opt-in, sort of like they do with personal email accounts. Then over time, administrators can "require" MFA by a certain date for users holding out. One way to handle this is to include a link for the end user under user settings to "Sign up for Multi-Factor Authentication". Right now, nothing appears under a user's security settings until they are enabled by an administrator. Thx!

    80 votes
    17 comments  ·  Multi-factor Authentication
  18. MFA on-premises use security questions for fallback

    In the on-premises MFA server there's the ability to enable "use security questions for fallback". This is great but only works for newly imported accounts. Can this be enforced on all users?

    1 vote
    0 comments  ·  Multi-factor Authentication
  19. On-Premises MFA logging, user change MFA method

    There's much logging in the on-premises MFA server, but it's missing the change of MFA method by the end user at the moment. Can be handy for traceback (including the machine name from which the change has been made) and seeing if there's a possible identity theft.

    1 vote
    0 comments  ·  Multi-factor Authentication
  20. MFA

    Update the Multi Factor Authentication (MFA) GUI so we can see any account that is NOT enabled or enforced. Seems like a basic setting but I cannot find any resource to help identify these risks and it is troubling (and manual).

    12 votes
    3 comments  ·  Multi-factor Authentication